What's Your Website Hiding?
As more companies find their way onto the Internet, there has been an increase in the number of websites being compromised, both for the theft of sensitive data and for the purpose of spreading malicious software to unwary visitors.
Groups such as Zone-H track and identify websites that have been defaced, but many of the sites being used in phishing runs and malware attacks are not so openly defaced. That is where other interest groups like PhishTank step in, identifying and tracking sites that host phishing pages which are actively being spammed or otherwise distributed. A number of other sources maintain lists of sites that are vulnerable to particular attack vectors, such as cross-site scripting (XSS).
Some companies turn to verification firms such as Verisign and ScanAlert to routinely validate that their sites are not hosting malware and are not vulnerable to known problems. Judging by the number of sites that display a "successfully scanned" badge from one of these companies while remaining vulnerable to well-known attack vectors (vectors that are admittedly difficult to mitigate completely), the effectiveness of these services is questionable.
The big problem with all of the above methods is that they are after the fact: they can only identify that a site is already being used for phishing, or that it is protected against a set of known problems. Automated scanning systems have the further problem of not being able to reliably detect every instance of a weakness (every XSS weakness on a site, for example) even when the mechanism of attack is well understood, because a scanner typically checks whether a fixed set of probe strings is reflected, not whether untrusted input can break out of every context in which the page places it. What none of these methods can protect against or identify are compromises that are low profile and those that use advanced techniques to gain access.
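As an added illustration of that point (this is example code written for this commentary, not code from the original article, from ScanAlert, or from any scanner it mentions), the following models a signature-based check against three constructed page handlers. The scanner sends the classic `<script>alert(1)</script>` probe and reports a finding only if it is reflected verbatim. A handler that merely strips `<script>` tags passes that check, yet still lets an attacker close the `value` attribute and inject an event handler; only the handler that escapes for the attribute context is actually safe. The handler names, the probe strings and the page markup are all assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed page handlers: each reflects the user-supplied search term "q"
# into an <input value="..."> attribute, as many search forms do.

def render_unfiltered(q: str) -> str:
    """No output encoding at all (assumed handler)."""
    return f'<input name="q" value="{q}">'

def render_naive(q: str) -> str:
    """Blacklist filter that removes <script ...> and </script> tags only."""
    cleaned = re.sub(r"(?i)<\s*/?\s*script[^>]*>", "", q)
    return f'<input name="q" value="{cleaned}">'

def render_escaped(q: str) -> str:
    """Context-aware escaping: &, <, >, " and ' are encoded for an attribute."""
    return f'<input name="q" value="{html.escape(q, quote=True)}">'

# The probe a signature scanner sends, and a payload it does not send.
SCANNER_PAYLOAD = "<script>alert(1)</script>"          # constructed probe
ATTR_PAYLOAD = '" onmouseover="alert(1)'               # attribute break-out

def scanner_flags_xss(render, payload: str = SCANNER_PAYLOAD) -> bool:
    """Model of a signature scanner: a finding only if the probe comes back verbatim."""
    return payload in render(payload)

class _AttrCollector(HTMLParser):
    """Collects the attributes the browser would actually see on each start tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: list[tuple[str, str | None]] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.attrs.extend(attrs)

def event_handler_injected(rendered: str) -> bool:
    """Ground truth: did the input produce a real on* attribute on the element?"""
    parser = _AttrCollector()
    parser.feed(rendered)
    return any(name.lower().startswith("on") for name, _ in parser.attrs)

def assess(render) -> dict:
    """Compare the scanner's verdict with what an attacker can actually do."""
    return {
        "scanner_flags": scanner_flags_xss(render),
        "exploitable_via_attribute": event_handler_injected(render(ATTR_PAYLOAD)),
    }

if __name__ == "__main__":
    for name, handler in [("unfiltered", render_unfiltered),
                          ("naive blacklist", render_naive),
                          ("attribute-escaped", render_escaped)]:
        print(f"{name:18s} {assess(handler)}")
```

The naive handler is the interesting case: the scanner reports it clean because its probe never comes back intact, while `event_handler_injected` shows that a browser would attach an `onmouseover` handler to the element. A scan that only looks for its own probe strings, rather than parsing the response for the context the input landed in, will keep missing this class of weakness no matter how many times it is run.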
As reported by The Register, security firm Sophos claims that 6,000 new websites are being compromised every day for the purpose of spreading malware to unsuspecting victims (more than 2 million new site compromises each year). They go on to claim that 80% of those affected have no idea that their site has been compromised, a figure which is probably on the low side. The figure of 2 million new site compromises per year seems very large, but could be explained by virtual hosting servers with many sites on the one physical server being compromised, so that a single vector affects multiple sites (in some cases thousands of sites) at once.
Complementary reporting which has emerged over the last week or so points to a number of embassies whose sites have been compromised to deliver malware, at least according to eSafe as reported by The Register. Further vulnerability and proof-of-concept disclosures from the researchers responsible for the recent UPnP disclosures (now being used in attacks) point to a problematic future for home users with small local networks, particularly through blended attacks that combine a web-based vector with an attack on devices inside the network.
An increasing number of voices are pointing out the elephant-sized holes in the protective services that some companies provide. The result is a split between these dissenting voices and some of the largest companies in the Information Security industry, which are conveniently many of those offering the protective services. When representatives of companies like Symantec are on record as saying that, while XSS vulnerabilities are a serious risk, they have not really been used in actual attacks, then the efficacy of their service needs to be questioned. Others claim that XSS vulnerabilities cannot be used to hack a server, which seems to contradict both the findings of Sophos presented earlier and the claims made for their own products.
Of course, many of those dissenting voices have a vested interest of their own, offering competing black-box services (while ScanAlert's service is Nessus 2, an open source application that anyone can run themselves). Even allowing for that bias, it doesn't discount the value of their arguments.
Note: Sûnnet Beskerming has a vested interest in the above commentary, as we offer a range of blended protective services, mixing the best of automated and manual testing and evaluation systems.
25 January 2008